
List:       pamldap
Subject:    Re: [pamldap] pam_ldap, RH 7.3, eDir 8.6.2
From:       "Mack" <RAGAN_DAVIS () colstate ! edu>
Date:       2004-01-09 22:19:09
Message-ID: 3FFEE28B.1457.5365883 () localhost

Hey,

Thanks for the reply.  I don't have any unix-type attributes in the ldap server.  Maybe 
that's the problem.  I think we'd have to extend the schema in order to make use of 
those attributes.  I ran the ldapsearch command you mentioned, and the only output I 
received was related to the objectClass filter (see output below).  None of the other 
filters returned information.  I'm not too concerned about it anymore, though, 
because I'm only doing this so that some of the other admins don't have to 
remember a linux account/pwd that's different than their novell.  Only a handful of 
folks, so it's not a big deal to create a dummy account with the same name as their 
novell account.  I will look into extending our ldap schema to include the posix stuff 
soon, though.

<<begin output>>
ldap_init( my.ldap.server, 0 )
filter: cn=ldap_user_name
requesting: cn sn loginShell homeDirectory uidNumber gidNumber objectClass 
version: 2

#
# filter: cn=ragan_davis
# requesting: cn sn loginShell homeDirectory uidNumber gidNumber objectClass 
#

# ldap_user_name, people, org
dn: cn=ldap_user_name,ou=people,o=org
sn: ldap_user_name
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ndsLoginProperties
objectClass: bhPortalConfigRW
objectClass: bhPortalConfigSecretStore
objectClass: bhPortalConfig

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
<<end output>>

thanks for the help,
mack

On 9 Jan 2004 at 14:23, Shiqi X He wrote:

> 
> HI Mark,
> 
> I am having a similar issue to yours. Compiled the pam_ldap and
> nss_ldap from PADL against the openldap libraries on a Solaris-8 system
> as ldap client.
> 
> What did you get from the ldapsearch command?
> ldapsearch -h ldap-server-ip -x -v  -u "uid=login-name" -b
> "ou=users,o=hi" cn sn loginShell homeDIrectory uidNumber gidNumber
> objectClass
> 
> The following is the output from my Sun system:
> 
> ldap_init( ldap-server-ip, 0 )
> filter: uid=login-name
> requesting: -b ou=users,o=hi cn sn loginShell homeDIrectory uidNumber gidNumber objectClass
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: uid=login-name
> # requesting: -b ou=users,o=hi cn sn loginShell homeDIrectory uidNumber gidNumber objectClass
> #
> 
> # LOGIN-NAME, USERS, HI
> dn: cn=login-name,ou=USERS,o=HI
> ufn: LOGIN-NAME, USERS, HI
> loginShell: /bin/ksh
> homeDIrectory: /export/home/login-name
> gidNumber: 10
> uidNumber: 1000
> sn: He
> objectClass: inetOrgPerson
> objectClass: HiEmployee
> objectClass: HiPreferences
> objectClass: organizationalPerson
> objectClass: person
> objectClass: ndsLoginProperties
> objectClass: top
> objectClass: posixAccount
> objectClass: account
> cn: login-name
> 
> # search result
> search: 2
> result: 0 Success                      <=======================
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> Looks like the objectClass shadowAccount is missing and 0 Success on
> the result.
> 
> I think there might be something not set up right on the ldap server
> side (Novell e-directory, in this case).
> 
> I am still working on this issue.
> 
> 
> Erik S. He
> 
> 
> 
> 
> "Mack" <RAGAN_DAVIS@colstate.edu>
> Sent by: owner-pamldap@PADL.COM
> 01/07/2004 08:07 AM
> 
> To: pamldap@padl.com
> cc: sunny@opencurve.org
> Subject: Re: [pamldap] pam_ldap, RH 7.3, eDir 8.6.2
> 
> Thanks for the reply sunny.  Here's a copy of /etc/ldap.conf w/ fake
> hostname:
> 
> host ldaphost.colstate.edu
> port 636
> base o=csu
> ssl yes
> ldap_version 3
> scope sub
> pam_login_attribute cn
> pam_password clear
> pam_password nds
> 
> "ldaphost.colstate.edu" is a Novell NetWare 6 server running eDir
> 8.6.2. Assume that my linux box is RH7.3 and is named "mybox".  I can
> login to mybox (via ssh or console) using my novell username & pwd
> ONLY if there is a local account with the same name.  Doesn't even have
> to have a local home dir or pwd...just an account.  If there isn't a
> matching local account, then I get something like "no further
> authentication methods available".  So, obviously the ldap
> authentication is working, but how to get around this business of
> needing a local account that matches your novell account?
> 
> Here's a copy of /etc/nsswitch.conf:
> 
> passwd:     files nisplus ldap
> shadow:     files nisplus ldap
> group:      files nisplus ldap
> 
> hosts:      files nisplus dns
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files nisplus ldap
> rpc:        files
> services:   files nisplus ldap
> 
> netgroup:   files nisplus ldap
> 
> publickey:  nisplus
> 
> automount:  files nisplus ldap
> aliases:    files nisplus
> 
> I originally began the configuration of pam_ldap by running
> "authconfig". Once I did this, I tweaked "/etc/ldap.conf" to be what
> you see above.  The file "/etc/nsswitch.conf" was never touched (by
> me, anyway).  I think the root of the problem lies somewhere in one of
> the pam layers, like in systemauth.  Any ideas?
> 
> Side note:  I also use pam_ldap on a suse9 box, which experiences the
> same problem (need a matching local account).  However, on the suse9
> box, I can use "uri ldaps://ldaphost.colstate.edu" instead of "host
> ldaphost.colstate.edu" and "port 636" in "/etc/ldap.conf".  Never
> could get the uri method to work on RH.
> 
> thanks,
> mack
> 
> 
> On 7 Jan 2004 at 0:33, Sunny Dubey wrote:
> 
> > On Tuesday 06 January 2004 01:31 pm, Mack wrote:
> > > Hi!
> > >
> > > From RH 7.3 box, or via ssh to said box, I have ldap
> > > authentication working against Novell eDir 8.6.2 *IF* the ldap
> > > user is also a local linux user. However, I cannot authenticate if
> > > the ldap user is not a local user.  Maybe I missed something.  Any
> > > hints, tips, tricks or suggestions are appreciated.  I can include
> > > config if needed.
> >
> > Please take my words with a grain of salt ...
> >
> > I believe you need nss-ldap ?  Possibly to work with nsswitch
> > (/etc/nsswitch.conf) to get around needing a local user.
> >
> > Sunny Dubey
> >
> > PS:  I would love to see your config files, I always have a hard
> > time getting edir to work with ldap.  The ds trace thingies never
> > seem to help much.  (I'm not a novell person at all, doh)
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by the CSU Email Gateway, and is
> > believed to be clean.
> >
> 
> 
> 
> 
> 

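As an added example (not code from this thread or from the pam_ldap/nss_ldap project), a small Python check of the condition Erik's reply points at: it parses the LDIF that ldapsearch prints and lists which posixAccount pieces an nss_ldap passwd lookup would miss, which is why PAM can accept the eDirectory password while the login still needs a matching local account. The two LDIF samples are constructed from the entries quoted in the thread.

```python
# Added example for this thread, not pam_ldap/nss_ldap code: parse ldapsearch
# LDIF and list what an nss_ldap passwd map would miss for each entry.

# Attributes nss_ldap needs to build a passwd(5) entry from an LDAP object.
POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed sample modelled on Mack's output: no POSIX schema at all.
MACK_LDIF = """\
dn: cn=ldap_user_name,ou=people,o=org
objectClass: inetOrgPerson
objectClass: ndsLoginProperties

result: 0 Success
"""

# Constructed sample modelled on Erik's output: posixAccount is present.
ERIK_LDIF = """\
dn: cn=login-name,ou=USERS,o=HI
loginShell: /bin/ksh
homeDIrectory: /export/home/login-name
gidNumber: 10
uidNumber: 1000
objectClass: posixAccount
"""

def parse_ldif(text):
    """Split ldapsearch output into entries keyed by lower-cased attribute name
    (LDAP attribute names are case-insensitive, so homeDIrectory is fine)."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                            # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            cur.setdefault(key.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return [e for e in entries if "dn" in e]    # drop the search-result trailer

def posix_gaps(entry):
    """Return what nss_ldap would miss for one entry (empty list = usable)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    gaps = [] if "posixaccount" in classes else ["objectClass posixAccount"]
    return gaps + [a for a in POSIX_ATTRS if a.lower() not in entry]

def diagnose(text):
    """Map each DN in the ldapsearch output to its list of gaps."""
    return {e["dn"][0]: posix_gaps(e) for e in parse_ldif(text)}
```

Feed it the real ldapsearch output with `diagnose(open("out.ldif").read())`; any non-empty list means nss_ldap cannot synthesise a passwd entry for that DN no matter how PAM is configured.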
